[CentOS] disabling SELinux on CentOS: a good idea?

Fri Jul 13 20:23:58 UTC 2007
Kenneth Porter <shiva at sewingwitch.com>

On Friday, June 29, 2007 7:19 PM -0700 Rogelio Bastardo 
<scubacuda at gmail.com> wrote:

> I was banging my head against the wall trying to figure out why my Nagios
> install wasn't working on CentOS 4.5 (I'm used to Debian), and so I
> disabled SELinux and everything magically started working.
> Is this a good long term idea? Or is there a better way of doing things?

SELinux is a tool, part of a suite of defenses you deploy as part of 
"defense in depth" to protect your assets. Only you can decide how valuable 
your assets are and how much effort you should expend protecting them. (But 
a usurped box also hurts the rest of us, once it becomes a bot available 
to spam or otherwise attack other hosts.)

You should have other techniques in play to defend your system, such as 
iptables, TCP wrappers, LUA, SSL, and strong passwords. SELinux presents 
another hurdle that attackers must get past.

My policy is not to permanently disable it but to figure out how to use it. 
I'm currently reading the two premier books on it to understand it. So far 
I haven't had to disable it to get things working, but I've had to defer 
deployment of some services or figure out workarounds.